Cool, I will be interested to see what you find. That said, regardless of what the initial extension is, my point is that you can't think of these defenses as a way to keep the uploaded binary from *ever* getting on your server -- but all the defensive tactics you and I and Billy and Ajas are using are best thought of as deciding what to do with the binary now that it's there. Using a directory out of the web tree (whether a temp dir or not) is like having a quarantine area. The most common file-upload exploit I've heard about is to upload an .exe as if it were a .gif or .jpg, because if the file isn't quarantined appropriately then viewing the "image" could execute evil, bad, nasty code from evil, bad, nasty hackers who will come steal your brains. And money.
On Thu, Jul 30, 2009 at 3:09 PM, Mike G <[email protected]> wrote:
>
> That is a good point, but I don't think CF works that way. I am pretty sure that input type=file uploads the file to a file on the server with a .tmp extension and THEN CF processes it. The reason I think this is that if you try to upload a file that takes longer than the web server's HTTP timeout value, CF cannot find the file even though it is a .tmp in the temp folder. This piques my interest enough (and since I have about 100 websites that do the same thing) that I will be doing some hard-core testing this evening. I'll post what I find out after I am done.
>
> I do do client-side checking with JavaScript (with its inherent flaws) to check the ext in the field onsubmit, and if you use cfinput type=file in CF8, you may be able to do a regex match server-side on the file ext; I know that the regex works with a regular input field; never tried it with a type=file field to see if it evals BEFORE the file upload to a .tmp file. My guess is not.
>
> Will let you know what I find
>
> M
>
> On Thu, Jul 30, 2009 at 2:52 PM, Billy Cravens <[email protected]> wrote:
> > I doubt he wants to do that. Then he'd be letting the file onto the file system, which is what he's avoiding to begin with. By restricting the file type in the cffile tag, the file never gets saved to the file system, and the cffile structure is never set.
> > --
> > Billy Cravens
> >
> > On Thu, Jul 30, 2009 at 2:28 PM, Mike G <[email protected]> wrote:
> >>
> >> Are you trying to catch on upload, or catching as soon as you start trying to process the uploaded file?
> >>
> >> If the latter, in the top of your cftry, evaluate the cffile.serverFile extension (don't have the docs in front of me for the exact var that holds it). If it is not an allowable type, then use cfthrow and throw a custom exception. Then in your cfcatch, trap for that custom exception. Pretty simple to do.
> >>
> >> On Thu, Jul 30, 2009 at 2:12 PM, Mark Davis <[email protected]> wrote:
> >> > hey gang,
> >> >
> >> > I have some pages where users upload photos and resumes. The MIME types allowed are limited to standard stuff. The page is wrapped in a try/catch that currently logs everything to one certain log file. We get a lot of "errors" where the user is trying to upload an exe as a photo and crazy stuff like that. I want a specific cfcatch type="" to catch only those errors for MIME type exceptions, handle those one way, then catch everything else and handle a different way. I have the everything else, but I am having issues figuring out the MIME type catch. Anyone? Thanks
> >> >
> >> > Mark Davis | Developer
> >> > Round Table Group, Inc.
> >> > (281) 717-4575
> >> > [email protected]
> >> > www.roundtablegroup.com
> >> > The Leading Authority in Expert Witness Search & Referral™
--
You received this message because you are subscribed to the "Houston ColdFusion Users' Group" discussion list. To unsubscribe, send email to [email protected]. For more options, visit http://groups.google.com/group/houcfug?hl=en
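The quarantine-then-inspect handling argued for at the top of the thread (land the upload outside the web tree, then decide from its bytes, not from the client-supplied name or Content-Type, whether to keep it) as an added example. This is not code from any of the posters and is written in Python rather than the list's ColdFusion; the accepted-signature table, the PE/ELF rejection list, the two-directory layout and the sample uploads are assumptions for illustration, and the byte strings are constructed, not real files.

```python
"""Quarantine-then-inspect handling for uploaded files (added illustration).

The client tells us a filename and a MIME type; both are attacker-controlled.
Only the leading bytes of the file are consulted here.
"""
import os
import secrets
import tempfile

# Assumed allow-list: magic-byte prefix -> canonical extension.
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
}

# Signatures rejected outright even when the upload is labelled as an image:
# Windows PE files start with "MZ", ELF binaries with 0x7f 'E' 'L' 'F'.
EXECUTABLE_MAGIC = {b"MZ": "pe-executable", b"\x7fELF": "elf-executable"}


def sniff_type(data: bytes):
    """Return the extension implied by the leading bytes, or None if unknown."""
    for prefix, ext in MAGIC.items():
        if data.startswith(prefix):
            return ext
    return None


def detect_executable(data: bytes):
    """Return a label if the bytes look like a native executable, else None."""
    for prefix, name in EXECUTABLE_MAGIC.items():
        if data.startswith(prefix):
            return name
    return None


def decide(data: bytes, client_name: str):
    """Decide the fate of a file that has already landed in quarantine.

    Returns ("accept", real_extension) or ("reject", reason).  The claimed
    extension is used only to report a mismatch, never to trust the content.
    """
    claimed = os.path.splitext(client_name)[1].lower().lstrip(".")
    if claimed == "jpeg":
        claimed = "jpg"
    exe = detect_executable(data)
    if exe:
        return ("reject", f"{exe} disguised as .{claimed or '?'}")
    real = sniff_type(data)
    if real is None:
        return ("reject", "unrecognised content")
    if claimed != real:
        return ("reject", f"claimed .{claimed or '?'} but content is {real}")
    return ("accept", real)


def store(data: bytes, client_name: str, quarantine_dir: str, store_dir: str):
    """Write to quarantine, inspect, then promote under a server-chosen name
    or delete.  Both directories are assumed to sit outside the web tree.
    Returns (verdict, final_path_or_reason)."""
    fd, qpath = tempfile.mkstemp(dir=quarantine_dir)  # random name, mode 0600
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    verdict, info = decide(data, client_name)
    if verdict == "reject":
        os.unlink(qpath)
        return verdict, info
    # The stored name is generated server-side; nothing from the client survives.
    final = os.path.join(store_dir, f"{secrets.token_hex(16)}.{info}")
    os.replace(qpath, final)
    return verdict, final


# Constructed sample uploads (name the client sent, bytes that arrived).
SAMPLES = [
    ("cat.gif", b"GIF89a\x01\x00\x01\x00" + b"\x00" * 16),   # genuine GIF
    ("photo.jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),      # genuine JPEG
    ("cat.gif", b"MZ\x90\x00" + b"\x00" * 16),               # .exe renamed .gif
    ("photo.gif", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),      # PNG mislabelled
    ("resume.pdf", b"%PDF-1.4\n" + b"\x00" * 16),            # not on allow-list
]


def run_demo():
    """Run every sample through store() in throwaway dirs.
    Returns (list of (name, verdict, info), files left in quarantine)."""
    qdir, sdir = tempfile.mkdtemp(), tempfile.mkdtemp()
    results = [(name, *store(data, name, qdir, sdir)) for name, data in SAMPLES]
    return results, os.listdir(qdir)


if __name__ == "__main__":
    for name, verdict, info in run_demo()[0]:
        print(f"{name:12} {verdict:7} {info}")
```

Running the script prints one line per sample: the two genuine images are accepted and moved under random names, the "MZ" file is rejected as a PE executable disguised as .gif, the PNG is rejected for the extension mismatch, and the PDF is rejected as unrecognised. The quarantine directory is empty afterwards, which is the property the top post is after: the binary did reach the server, but only the inspection step decides whether anything of it remains.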
